Tech law, tech in law, and more

Primary Menu

iPad (and iPhone) security: passcodes

During an interview with Jenny Montgomery of the Indiana Lawyer, she posed a question to me that started me thinking. While I won’t go into the discussion we had (lest I say anything here that the Indiana Lawyer will include in its article), it seems to me that it is worthwhile to spend some time discussing the security on iOS devices.

We lawyers all know that we have an obligation to maintain client confidences and avoid their disclosure. Even something as seemingly benign as a calendar entry could be enough to reveal that a client is even consulting with an attorney. iPads and iPhones are small enough that they can be misplaced or even stolen, so owners should take some definite steps to prevent someone from accessing the data. (Even if you don’t have client information on your device, you may not want a prankster colleague to post the latest photos of you wearing a coconut bra and grass skirt on Facebook.)

The first step to securing your iOS device is to use the Passcode Lock feature. You can find this in the Settings app, under General. Passcode Lock should be turned on. In addition, you should turn off the Simple Passcode setting. Apple will let you use Simple Passcode’s four-character passcode, but that is not the wisest move. When you tap your passcode into the iPad or iPhone, your finger leaves a trace of oil behind on the screen. Considering that there are only four digits allowed, and your fingerprints may point to the four numbers you have in your passcode, it doesn’t take much to realize that there are only 256 possible combinations that might unlock your device. Someone might just get lucky and guess your passcode. (You could reduce this risk by wiping your screen clean on a frequent basis, but usually it’s the people with a form of OCD who are best at using that tactic.)

One way you can mitigate this risk is by turning the Erase Data feature on. With this turned on, all data on your device is erased after ten failed passcode attempts. While a thief still might get lucky and guess your code on the 7th try, using Erase Data increases the odds in your favor. Of course, if your device erases itself, you’ll want to have a very current backup of the device’s data stored on your computer.

Instead of using the four-digit simple passcode, turn that feature off and use a longer passcode. I happen to use a nine-character passcode that includes capital letters, numbers, and symbols. I also have the data erase feature turned on, so any thief is going to have to be incredibly lucky to guess the passcode within ten attempts.

At first, using a passcode longer than four characters may seem a hassle, but after a while it’s not even noticeable. Even so, the minor inconvenience is small compared to the potential loss of sensitive data—or worse, having to respond to a disciplinary complaint filed by an angry client after his information was lost or revealed.

In forthcoming posts, we will look at more security issues involving our favorite mobile devices.